
lxgr | 13 hours ago

I think it's actually the RP being broken, not my authenticator. Conceptually, it's the RP's burden to either avoid this situation or allow eventual consistency:

There's an explicit mechanism in WebAuthn to avoid duplicate credential generation (excludeCredentials). If an RP still insists on rotating, what they should be doing is to first add the new credential, perform a successful authentication with it, and then retire the old one.

So the problem only happens if a "single passkey only" site does not support excludeCredentials, as far as I can tell.
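An added example, not code from the thread or from any real relying party, of the server-side flow the comment describes: every credential already on the account goes into excludeCredentials when a new registration is requested, the new credential is held as pending until it has completed a successful assertion, and only then may the old one be retired. All names (CredentialStore, beginRotation, retireCredential, the rp id, the credential ids) are constructed for the example.

```javascript
// Constructed example of the RP side of passkey rotation. Credential ids are
// base64url strings in real WebAuthn; plain strings stand in for them here.

class CredentialStore {
  constructor() {
    this.byUser = new Map(); // userId -> Map(credentialId -> record)
  }
  list(userId) {
    return [...(this.byUser.get(userId) ?? new Map()).values()];
  }
  get(userId, credentialId) {
    return this.byUser.get(userId)?.get(credentialId);
  }
  add(userId, record) {
    if (!this.byUser.has(userId)) this.byUser.set(userId, new Map());
    const creds = this.byUser.get(userId);
    if (creds.has(record.id)) throw new Error("credential already registered");
    creds.set(record.id, { ...record });
  }
  remove(userId, credentialId) {
    this.byUser.get(userId)?.delete(credentialId);
  }
}

// Step 1: build the creation options for a *new* credential. Listing every
// credential already on the account in excludeCredentials tells the
// authenticator to abort the ceremony instead of minting a second credential
// for the same RP/user pair, which is the duplicate-generation case the
// comment points at.
function buildCreationOptions(store, user, challenge) {
  return {
    challenge,
    rp: { id: "rp.example", name: "Example RP" }, // constructed RP identity
    user: { id: user.id, name: user.name, displayName: user.name },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 }, // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    excludeCredentials: store.list(user.id).map((c) => ({
      type: "public-key",
      id: c.id,
      transports: c.transports,
    })),
  };
}

// Step 2: store the freshly registered credential as pending. The old one
// stays active, so an abandoned or failed rotation never locks the user out.
function beginRotation(store, userId, newCredential) {
  store.add(userId, { ...newCredential, status: "pending" });
}

// Step 3: a successful assertion with the pending credential promotes it.
// Returns true when this call is the one that activated a pending credential.
function recordSuccessfulAssertion(store, userId, credentialId) {
  const cred = store.get(userId, credentialId);
  if (!cred) throw new Error("unknown credential");
  const wasPending = cred.status === "pending";
  cred.status = "active";
  return wasPending;
}

// Step 4: retire the old credential only once another credential on the
// account has proven itself with a real assertion. Refusing before that is
// what keeps the rotation eventually consistent rather than opening a window
// in which the user holds no working key. Returns the ids that remain.
function retireCredential(store, userId, oldCredentialId) {
  const others = store
    .list(userId)
    .filter((c) => c.id !== oldCredentialId && c.status === "active");
  if (others.length === 0) {
    throw new Error("refusing to retire the only active credential");
  }
  store.remove(userId, oldCredentialId);
  return store.list(userId).map((c) => c.id);
}
```

The point of the pending state is that retireCredential refuses to run until recordSuccessfulAssertion has been called for the replacement; an RP that drops the old credential at registration time, or that omits excludeCredentials, is the one that ends up with the broken "single passkey" account the thread describes.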
